Heimdal
Home > Cybersecurity News

ConnectWise ScreenConnect Subdomain Listed as IoC in CISA’s BlackCat Ransomware Advisory

Researchers Warn Major Ransomware Gangs Exploit CVE-2024-1709.

Last updated on February 29, 2024

article featured image

Contents:

A subdomain related to ScreenConnect appears as an Indicator of Compromise (IoC) on CISA`s #StopRansomware: ALPHV Blackcat joint advisory update.

Fisa99.screenconnect[.]com, which is a ScreenConnect remote access domain, is listed in Table 4, as a network IoC.

In their advisory, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) also warned that ALPHV Blackcat affiliates are targeting the healthcare sector.

Additionally, on February 22nd, CISA added a critical vulnerability in ScreenConnect to their Known Exploited Vulnerabilities Catalog. The advisory urged U.S. federal agencies to patch vulnerable servers by February 29.

More about the ScreenConnect Vulnerability

CVE-2024-1709 is an authentication bypass flaw that attackers can use for direct access to confidential information or critical systems.

Hackers can exploit the ScreenConnect vulnerability to create admin accounts on publicly exposed assets. Further on, threat actors could act as a system admin.

The flaw`s CVSS score is 10, the highest possible. CVE-2024-1709 impacts ConnectWise ScreenConnect versions 23.9.7 and prior.

ConnectWise released a patch for the flaw in few days after discovering it. They advised admins using on-premise software to update servers to ScreenConnect version 23.9.8.

Ransomware groups are exploiting the ScreenConnect vulnerability

Few days after ConnectWise disclosed CVE-2024-1709, researchers found proofs that LockBit, Black Basta and Bl00dy are already exploiting the vulnerability.

LockBit managed to restore their servers, after law enforcement temporarily disrupted their activity.

Patching CVE-2024-1709 should now be a top priority for any Security Admin.

Some of the prevention measures CISA recommends against ransomware are:

  • Periodically check for authorized and unauthorized devices and software in your network
  • Patch known exploited vulnerabilities and CVEs
  • Use multi-factor authentication and a strong password policy
  • Close unused ports to avoid port scan attacks
  • Remove unnecessary software

If you liked this article, follow us on LinkedIn, Twitter, Facebook, and Youtube, for more cybersecurity news and topics.

Author Profile

Livia Gyongyoși

Communications and PR Officer

Livia Gyongyoși is a Communications and PR Officer within Heimdal®, passionate about cybersecurity. Always interested in being up to date with the latest news regarding this domain, Livia's goal is to keep others informed about best practices and solutions that help avoid cyberattacks.

Related Articles

8 Best ConnectWise Competitors & Alternatives in 2024 [Features, Pricing & Reviews]Lockbit Disrupted. Police Arrests Staff Members and Gives Victims Free DecryptorFBI Disrupts BlackCat Ransomware Threat Group Activity – The Essential FactsAutomated Patch Management Explained: Definition, Benefits, Best Practices & MoreHow to Use DNS IoCs to Prevent Ransomware AttacksRansomware Prevention Checklist: Safeguarding Your Digital AssetsFive Ways Heimdal® Can Help You Protect Against Ransomware AttacksWhat Is Multi-Factor Authentication (MFA)?

Leave a Reply

Your email address will not be published. Required fields are marked *

CHECK OUR SUITE OF 11 CYBERSECURITY SOLUTIONS

SEE MORE
linkedin
youtube
facebook
x

resources

company

newsletter

© 2024 Heimdal®

Vat No. 35802495, Vester Farimagsgade 1, 2 Sal, 1606 København V